论文信息 - SP 800-65. Integrating IT Security into the Capital Planning and Investment Control Process

SP 800-65. Integrating IT Security into the Capital Planning and Investment Control Process

Traditionally, information technology (IT) security and capital planning and investment control (CPIC) processes have been performed independently by security and capital planning practitioners. However, the Federal Information Security Management Act (FISMA) of 2002 and other existing federal regulations charge agencies with integrating the two activities. In addition, with increased competition for limited federal budgets and resources, agencies must ensure that available funding is applied towards the agencies' highest priority IT security investments. Applying funding towards high-priority security investments supports the objective of maintaining appropriate security controls, both at the enterprise-wide and system level, commensurate with levels of risk and data sensitivity. This special publication introduces common criteria against which agencies can prioritize security activities to ensure that corrective actions identified in the annual FISMA reporting process are incorporated into the capital planning process to deliver maximum security in a cost-effective manner.

[1] Marianne Swanson,et al. Guide for Developing Security Plans for Information Technology Systems , 1998 .

[2] Marianne M. Swanson,et al. Recommended Security Controls for Federal Information Systems , 2005 .

[3] G. Stoneburner,et al. Risk Management Guide for Information Technology Systems: Recommendations of the National Institute of Standards and Technology , 2002 .

[4] Timothy Grance,et al. Guide to Information Technology Security Services , 2003 .

[5] Marianne Swanson,et al. Security Self-Assessment Guide for Information Technology Systems , 2001 .

[6] Shirley Radack,et al. Federal Information Processing Standard (FIPS) 199, Standards for Security Categorization of Federal Information and Information Systems , 2004 .

[7] William C. Barker. Guideline for Identifying an Information System as a National Security System , 2003 .

[8] Paul Solomon,et al. Appendix C: American National Standards Institute (ANSI)/Electronics Industries Alliance (EIA) Standard-748, Earned Value Management Systems (EVMS) Guidelines , 2006 .